Re: ACL for IP restriction

At 03:42 PM 1/7/01 +0100, Torsten Curdt wrote:
>In our intraweb we use an openldap server that holds all user specific
>data (including auth information like crypted passwords etc.). All other
>machines auth against this ldap server.
>
>I now want to allow a machine from our perimeter net to authenticate against
>this ldap server as well. But only this one machine and only with very
>limited access.
>
>I'm a bit scared to open the firewall because the perimeter machine
>gets full LDAP access to the crypted passwords. So what I was thinking of
>was to limit the access based on the machine's IP.

Assumptions:
        you are using OpenLDAP 1.2
        62.132.127.51 is the perimeter system

Note:
        no special access is necessary to bind
        addr=<regex> is the expected syntax
        order matters

So, make sure the first by clause of each access
directive is "by addr=62\.132\.127\.51 none".  This
will deny all access excepting bind (authentication).

I would also suggest use of TCP wrappers or host level
firewall software on the LDAP server host to restrict
access as well as appropriate rules on your internal/perimeter
firewall.

Configuring 2.0 is slightly different as 1) "auth" access
must be granted to userPassword to allow bind and 2) addr
was replaced with peername.
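Putting the advice above into slapd.conf form, as an added illustration that is not part of the original mail. The non-perimeter by clauses and the exact form of the 2.0 peername value are assumptions; check them against slapd.conf(5) for the installed release.

```conf
# OpenLDAP 1.2 slapd.conf fragment.  Bind needs no access in 1.2, so a
# "none" clause for the perimeter address still lets it authenticate.
# The perimeter "by" clause comes first in every access directive:
# slapd stops at the first "by" clause that matches the requester.
access to *
        by addr=62\.132\.127\.51 none
        by self write
        by * read

# OpenLDAP 2.0 equivalent.  "addr" became "peername", and a bind now
# needs "auth" access to userPassword, so that attribute gets its own
# directive that grants the perimeter host exactly "auth" and no more.
# (Assumption: the peername string contains the client IP, so an
# unanchored regex on the escaped address matches it.)
access to attrs=userPassword
        by peername=62\.132\.127\.51 auth
        by self write
        by anonymous auth
        by * none

access to *
        by peername=62\.132\.127\.51 none
        by self write
        by * read
```

With either version, the perimeter host can bind but cannot read userPassword or any other attribute, which is the exposure the original question worried about.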